On Hubris and Humility: when "write your own OS" isn't the worst idea

Hubris is a small open-source operating system for deeply-embedded computer
systems, such as our server's replacement for the Baseboard Management
Controller. Because our BMC replacement uses a lower-complexity microcontroller
with region-based memory protection instead of virtual memory, our options were
limited. We were unable to find an off-the-shelf option that met our
requirements around safety, security, and correctness, so we wrote one.

Hubris provides preemptive multitasking, memory isolation between
separately-compiled components, the ability to isolate crashing drivers and
restart them without affecting the rest of the system, and flexible
inter-component messaging that eliminates the need for most syscalls -- in about
2000 lines of Rust. The Hubris debugger, Humility, allows us to walk up to a
running system and inspect the interaction of all tasks, or capture a dump for
offline debugging.

However, Hubris may be more interesting for what it doesn't have. There are no
operations for creating or destroying tasks at runtime, no dynamic resource
allocation, no driver code running in privileged mode, and no C code in the
system. This removes, by construction, a lot of the attack surface normally
present in similar systems.

This talk will provide an overview of Hubris's design, the structure of a Hubris
application, and some highlights of things we learned along the way.